CVE-2020-24606

Name
CVE-2020-24606
Description
Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Patch http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_9.patch
Third Party Advisory https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
Third Party Advisory https://www.debian.org/security/2020/dsa-4751
Third Party Advisory https://usn.ubuntu.com/4477-1/
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/
Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/
Third Party Advisory https://usn.ubuntu.com/4551-1/
Mailing List https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20210219-0007/
Third Party Advisory https://security.netapp.com/advisory/ntap-20210226-0006/
Broken Link https://security.netapp.com/advisory/ntap-20210226-0007/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:* squid >= 3.0 < 4.13
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:* squid >= 5.0.1 < 5.0.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status